Merge pull request #209 from torbeneims/torbeneims-document-settings-pin
Document settings PIN
blazoncek committed Jun 10, 2024
2 parents 0316b97 + 8e0bf3f commit b7ed662
13 changes: 8 additions & 5 deletions docs/advanced/security.md
Expand Up @@ -21,19 +21,22 @@ A: Technically not. The ESP8266 uses unencrypted HTTP traffic. Implementing HTTP

A: WLED comes with the ability to carry out a software update via WiFi (OTA). However, no one must be able to flash a malicious new binary firmware to steal your WiFi credentials or make your ESP part of a botnet. Therefore, you should enable the "OTA Lock" setting and change its default passphrase "wledota".

### 3: Can I protect the light configuration or the settings page?
### 3: Can I protect the light configuration?

A: Currently not. This is not sensitive information like your WiFi password. Anyone with your IP and port can control the lights. Open an issue if it should ever happen that somebody plays with your lights. I might consider adding an optional password lock then. For now, it is way too cumbersome for what it does.

### 4: I want to do a software update, but it says "OTA lock active"?
### 4: Can I protect the settings page?
A: Yes, you can set a settings PIN in the `Security & Update setup`. Remember that WLED uses unencrypted transmission, so be prutent when selecting a PIN and do NOT reuse banking, etc. pin. After changing or entering the PIN, WLED will stay unlocked for 15 minutes before asking again when accessing any of the settings pages.

### 5: I want to do a software update, but it says "OTA lock active"?

A: You need to go to the settings page. Untick the "OTA Lock" setting and input your passphrase in the field below it.
Now apply the settings and reboot. After that you can carry out the software update. Don't forget to re-enable OTA Lock afterwards! To enable, you don't have to enter the passphrase, unless you want to change it. For the lock to work you need to apply and reboot again.

### 5: Why is this OTA lock stuff that important?
### 6: Why is this OTA lock stuff that important?

A: Your unencrypted WiFi password is stored in the module's EEPROM. It would be easy to "update" the software to a malicious version which sends your password to the attacker. OTA Lock makes sure only those with the passphrase may carry out a software update. And yes, while you can disable OTA lock by doing a factory reset, this would also kill the WiFi connection to the attacker.

### 6: Anything else?
### 7: Anything else?

A: A personal tip from me is not to give anyone your IP to control the software who you do not wish to do so on a regular basis. It is not critical from a security standpoint, but it can be very annoying if someone plays with your lights, or even worse, change your AP credentials to the point where you can no longer access the module except via USB.
A: A personal tip from me is not to give anyone your IP to control the software who you do not wish to do so on a regular basis. It is not critical from a security standpoint, but it can be very annoying if someone plays with your lights, or even worse, change your AP credentials to the point where you can no longer access the module except via USB.
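Review bot: the new answer under `### 4: Can I protect the settings page?` has a typo ("prutent" should be "prudent") and the phrase "do NOT reuse banking, etc. pin" reads awkwardly; suggest "do not reuse a PIN you use elsewhere, for example for banking", which also makes the point clearer given the preceding sentence that the PIN travels over unencrypted HTTP and can be read by anyone on the same network. Two smaller style points in the same hunk: the new `### 4` heading is not followed by a blank line, unlike every other heading in this file, and the final "A: A personal tip from me ..." line appears both removed and re-added with identical text, which suggests only the trailing newline changed; confirm that is intended rather than an editor artifact.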
